Communications among multiple parties must be fast, cost effective and secure. Today's computing environments, such as Internet conferencing, multi-user games and many more applications, involve multiple parties. All participants together establish a common session key to enable secure multi-party exchange of messages. A multi-party password-based authenticated key exchange scheme allows users to communicate securely over an insecure network by using easy-to-remember passwords. Kwon et al. proposed a practical three-party password-based authenticated key exchange (3-PAKE) scheme to allow two users to establish a session key through a server without pre-sharing a password between the users. However, Kwon et al.'s scheme cannot meet the security requirements of key authentication, key confirmation and anonymity. In this paper, we present a novel, simple and efficient multi-party password-based authenticated key exchange (M-PAKE) scheme based on elliptic curve cryptography for the mobile environment. Our proposed scheme requires only two round-messages. Furthermore, the proposed scheme not only satisfies the security requirements for a PAKE scheme but also achieves efficient computation and communication.

Password authenticated key exchange (PAKE) studies how to establish secure communications between two or more parties solely based on their password. The key challenge with password-based schemes is that the memorable password, associated with each user, has low entropy. It is not easy to protect the password information against dictionary attacks whereby an adversary ends up with the correct password after exhaustively testing all possible passwords against known password verifiers. Therefore, the intrinsic problem in designing PAKE schemes is to preserve password security against dictionary attacks.

In 1992, Bellovin and Merritt first proposed the two-party PAKE protocol (2-PAKE) [1], in which two entities A and B share a human-memorable password to establish a common session key. Because the 2-PAKE protocol is not suitable for large peer-to-peer architectures, many researchers have concentrated on proposing schemes that either extend Bellovin and Merritt's scheme to three-party applications or have better performance. The three-party password-based authenticated key exchange protocol (3-PAKE) is a simple and important mechanism that allows each user to choose his own password and share it with the server. A 3-PAKE scheme requires a trusted server that shares an easy-to-remember password with each user. However, because of the limited memory of humans, people prefer natural language phrases as their secret passwords, which makes a 3-PAKE scheme vulnerable to password guessing attacks [2]. Furthermore, the number of transmission rounds and the computational complexity are two important criteria for describing the performance of a 3-PAKE system [3-5].

In 2004, Chang and Chang proposed a robust and efficient 3-PAKE protocol using a trapdoor one-way function [9]. Later, Chen et al. [10] and Yoon et al. [11] pointed out that Chang and Chang's scheme cannot resist undetectable on-line password guessing attacks, and each proposed an enhanced scheme to solve the security problem. However, Lo and Yeh [12] pointed out that both schemes, by Chen et al. and by Yoon et al., are still vulnerable to undetectable on-line password guessing attacks.

In 2005, Abdalla et al. proposed a formal security model of 3-PAKE with different passwords [13]. From the viewpoint of round/computational complexity, Abdalla et al.'s scheme requires six rounds and more than 17 modular exponentiations per user in the standard model. To improve the efficiency of that scheme, Abdalla et al. presented a tailor-made protocol [14], but it fails to resist the undetectable on-line dictionary attack. The authors count this attack among the queries for message modification, which are limited to a certain number.

In 2008, Kwon et al. proposed a password-based 3-PAKE scheme with different passwords that achieves forward secrecy in the standard model [15]. Their scheme requires four rounds to achieve authentication between the users and the server. Besides, their scheme does not provide key authentication, key confirmation or user anonymity. In 2012, we proposed a PAKE scheme for the multi-party setting that meets the above security requirements with greatly improved efficiency [16]. The latest surveys of 3-PAKE issues are presented in [17-23].

With the emergence of the mobile environment, conventional 3-PAKE protocols face two common problems. The first is that the server and the users are not in the same domain, and therefore the shared authenticated keys may be unknowingly compromised. The second is that conventional 3-PAKE protocols require higher on-line communication and computational cost during session key agreement, which creates excessive overhead for users whose devices have low computational capacity.

Despite recent research aimed at reducing the computation and energy costs of public key operations/protocols, approaches that have been successfully applied in traditional wired networks are not suitable for low-power devices, such as mobile networks/WSNs [24,25]. Although RSA is well established, elliptic curve cryptography (ECC) is of greater commercial importance and has attracted attention because of its smaller key size, reduced storage, lower CPU consumption, and lower transmission requirements [26].

In this paper, we propose a multi-party PAKE (M-PAKE) scheme based on ECC for the mobile environment. Our proposed scheme achieves better performance by requiring only two round-messages, and it meets the security requirements. The proposed scheme is more efficient than previously proposed schemes in terms of computational complexity and communication cost. Furthermore, our proposed scheme provides entity authentication, confidentiality of the private key and the session key, forward secrecy, user anonymity, key authentication, and key confirmation.

The organization of this paper is as follows. In Section 2, we revisit the password-based 3-PAKE scheme of Kwon et al. We then present our proposed scheme in Section 3. The security analysis and the performance evaluation are given in Section 4. Finally, a conclusion is given in Section 5.

2. Revisiting Kwon et al.'s 3-PAKE scheme

In this section, we revisit the 3-PAKE scheme [15] of Kwon et al. Their scheme requires four rounds to achieve authentication between the users and the server.

Initialization. Each user Ui ∈ U for i ∈ {1,2} obtains pwi at the beginning of the scheme by using a password generation algorithm PG(1^k). Based on the decisional Diffie-Hellman assumption, let p' and q' be safe primes such that p' = 2q' + 1. Let g1 and g2 be generators of a finite cyclic group G having order q'. Let H() be a hash function, F() be a secure pseudorandom function family, and MAC_K(m) be a message authentication code function, where m is a message and K is a key. Assume that each user Ui and the server S have shared the public information (G, p', q', g1, g2, H(), F()) and the identities of the users exchanging a session key.

Round 1. Each user Ui chooses a random number, computes XiS using PWi mod p', and sends (Ii, XiS) to the server S, where Ii is the identity information of the user Ui. Then, S chooses a random number, computes XS1 and XS2 using PWi mod p' for i = {1,2}, and broadcasts (IS, XS1, XS2), where IS is the identity information of the server S.

Kwon et al.'s scheme does not provide key authentication, key confirmation or user anonymity. The identity Ii of user Ui is transmitted in plaintext. Accordingly, user privacy can be violated easily, especially in the mobile environment. In terms of key confirmation, after the session key sk is distributed to each user Ui, Kwon et al.'s scheme gives no assurance that Ui actually possesses the session key sk. In addition, for the mobile environment the efficiency of authenticated key exchange should be one of the core considerations; nevertheless, the modular operations used in Kwon et al.'s scheme are expensive.

3. The Proposed Scheme

In this section, we present the proposed M-PAKE scheme with privacy preservation for the mobile environment. The logical architecture of the proposed M-PAKE scheme is shown in Fig. 1. Without loss of generality, let U = {U1, U2, ..., Un} be a set of n users, S be a trusted server, and M = n + 1 be the total number of communicating parties. Using the users' passwords PW1, PW2, ..., PWn, each secretly shared with the server S, the users in the set U can cooperate to generate a valid session key. The notations used in the proposed M-PAKE scheme are listed in Table 1. The proposed M-PAKE scheme consists of three phases: system setup, user registration, and multi-party PAKE. We outline these phases below, and detailed descriptions are given in the following subsections.

Phase 2. User registration phase: Each user must register with the trusted server before the multi-party PAKE. The trusted server cooperates with the registering user to generate the password shared between the registering user and the trusted server.

Phase 3. Multi-party PAKE phase: Using only two round-messages, all participating users cooperate with the trusted server to generate the secret session key.

● Each participating user sends his authenticator and session key contribution to trusted server. The trusted server can authenticate the legitimacy of all participating users and generate the session key derivation information.

● The trusted server sends his authenticator and session key information to each participating user. All participating users can authenticate the legitimacy of the server and explicitly verify the authenticity of the established session key.

- 3.1 System setup phase

Initially, the server S determines a large prime p and a non-supersingular elliptic curve ECp(a,b): y² = x³ + ax + b (mod p), where a, b ∈R Z*p and 4a³ + 27b² mod p ≠ 0. The server S further determines a large prime q and a base point G of order q over ECp(a,b), where q is a divisor of the number of points on the elliptic curve ECp(a,b). Let O be the point at infinity over ECp(a,b), Qi,x/Qi,y be the x-coordinate/y-coordinate of the point Qi, and H1, H2, H3, H4 be secure one-way hash functions that accept a variable-length input and produce a fixed-length output over GF(q). The private and public keys of the server S are respectively xs and YS, where xs ∈R Zq and YS = xsG. Let E/D be a secure symmetric encryption/decryption function. Finally, the server S publishes (p, q, ECp(a,b), O, H1, H2, H3, H4, G, YS, E, D) while keeping xs secret.

- 3.2 User registration phase

When a user Ui wants to use the multi-party PAKE service, he has to register beforehand with the trusted server S. The user Ui obtains pwi at the start of the scheme by using a password generation algorithm PG(1^l), where l is the bit length of the password pwi. When subscribing to the multi-party PAKE service, the user Ui receives PWi = H1(Ii║IS║pwi)G, secretly shared between the user and the server, the identity Ii, and the public information (p, q, ECp(a,b), O, H1, H2, H3, H4, G, YS, E, D).

- 3.3 Multi-party PAKE phase

The multi-party PAKE phase requires only two round-messages. Without loss of generality, let U = {U1, U2, ..., Un} be the set of n users that want to agree on a secret session key shared among them. All the users cooperate with the trusted server S to generate the secret session key. The procedure of the M-PAKE phase is as follows (as depicted in Fig. 2).

Step 2. The trusted server S authenticates the legitimacy of all participating users and generates the session key derivation information by performing the following sub-steps.

Step 2-1. Upon receiving (Ri, Ci, ti) from Ui at time Ti (for i = 1, 2, ..., n), S verifies the validity of the time interval between ti and Ti. If (Ti - ti) ≥ ΔT, then S rejects the request, where ΔT denotes the expected valid time interval for transmission delay.

Step 2-2. The server S computes Ai = xsRi and mi = DAi,x(Ci), and verifies the legitimacy of the user Ui. If maci = H2(Ai.x║PWi,x║Ii║ti) does not hold, S rejects the request.

Step 3. Upon receiving tS, (YS,i, δi)|i=1,2,...,n at time Ti', each user Ui verifies the validity of the time interval between tS and Ti'. If (Ti' - tS) ≥ ΔT, where ΔT denotes the expected valid time interval for transmission delay, then Ui rejects the request. Otherwise, user Ui computes K = H3(RS║Y(S,1).x║Y(S,2).x║…║Y(S,n).x║tS) and verifies δi. If the verification holds, Ui accepts the session key K; otherwise, Ui rejects the request.
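As an added illustration (not code from the paper), the following Python model runs the system setup of Section 3.1, the registration of Section 3.2 and the two-round exchange of Section 3.3 end to end, including the ΔT timestamp check on which the replay resistance argument of Section 4.1 (8) rests. Because Step 1 is not reproduced in the source, its form is assumed: Ri = riG, Ai = riYS (which equals the server's Ai = xsRi) and Ci = E_{Ai.x}(Ii║maci); it is likewise assumed that the server sends YS,i = rSRi with RS = rSG, so that each user recovers RS = ri⁻¹YS,i. The curve is secp256k1 rather than the paper's unspecified 163-bit curve, H1..H4 are modelled as SHA-256 with a distinct tag byte, and the symmetric E/D is a SHA-256 keystream XOR standing in for a real cipher; identities, passwords and timestamps are constructed sample values.

```python
# Added illustration, not the paper's code: Sections 3.1-3.3 of the M-PAKE scheme end to end.
# Assumed (not on the page): Step 1 is Ri = ri*G, Ai = ri*YS, Ci = E_{Ai.x}(Ii||maci); the
# server sends YS,i = rS*Ri with RS = rS*G; curve secp256k1, tagged SHA-256 for H1..H4,
# and a SHA-256 keystream XOR standing in for the unspecified symmetric cipher E/D.
import hashlib
import secrets
# secp256k1 domain parameters: y^2 = x^3 + a*x + b over GF(p), base point G of prime order q
p, a, b = 2**256 - 2**32 - 977, 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
O = None          # point at infinity
IS = b"server"    # server identity (constructed sample value)
DELTA_T = 60      # expected valid transmission delay, in seconds

def ec_add(P, Q):
    """Affine point addition on the curve (handles O and doubling)."""
    if P is O: return Q
    if Q is O: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return O
    if P == Q: lam = (3 * P[0] * P[0] + a) * pow(2 * P[1], -1, p) % p
    else: lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def ec_mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = O
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def setup_is_valid():
    """Section 3.1 checks: 4a^3 + 27b^2 != 0 (mod p), G lies on the curve, q*G = O."""
    return ((4 * a**3 + 27 * b**2) % p != 0
            and (G[1]**2 - G[0]**3 - a * G[0] - b) % p == 0 and ec_mul(q, G) is O)

def H(tag, *parts):
    """H1..H4 modelled as SHA-256 with a distinct tag byte; ints are fed as 32-byte big-endian."""
    h = hashlib.sha256(bytes([tag]))
    for part in parts: h.update(part if isinstance(part, bytes) else part.to_bytes(32, "big"))
    return h.digest()

def xor_cipher(key_x, data):
    """Placeholder E/D keyed by Ai.x; the same call encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key_x.to_bytes(32, "big") + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def register(identity, password):
    """Section 3.2: PWi = H1(Ii || IS || pwi) * G, the point shared by user and server."""
    return ec_mul(int.from_bytes(H(1, identity, IS, password), "big") % q, G)

def user_round1(identity, PW, YS, t_i):
    """Assumed Step 1: send (Ri, Ci, ti); keep (ri, Ai) as private state."""
    r_i = secrets.randbelow(q - 1) + 1
    R_i, A_i = ec_mul(r_i, G), ec_mul(r_i, YS)                   # Ai = ri*YS equals xs*Ri
    mac_i = H(2, A_i[0], PW[0], identity, t_i)                   # maci = H2(Ai.x||PWi.x||Ii||ti)
    C_i = xor_cipher(A_i[0], identity.ljust(16, b"\0") + mac_i)  # Ii and maci travel encrypted
    return (R_i, C_i, t_i), (r_i, A_i)

def server_round2(xs, users, requests, T_now, t_S):
    """Step 2: timestamp check, authenticate each user, then build (tS, YS,i, delta_i)."""
    A, R = {}, {}
    for R_i, C_i, t_i in requests:
        if T_now - t_i >= DELTA_T: raise ValueError("stale request")   # Step 2-1
        A_i = ec_mul(xs, R_i)                                           # Step 2-2: Ai = xs*Ri
        m_i = xor_cipher(A_i[0], C_i)
        identity, mac_i = m_i[:16].rstrip(b"\0"), m_i[16:]
        if identity not in users or mac_i != H(2, A_i[0], users[identity][0], identity, t_i):
            raise ValueError("authentication failed")
        A[identity], R[identity] = A_i, R_i
    r_S = secrets.randbelow(q - 1) + 1
    R_S = ec_mul(r_S, G)                                                # assumed RS = rS*G
    Y = {i: ec_mul(r_S, R[i]) for i in R}                              # YS,i = rS*Ri
    K = H(3, R_S[0], R_S[1], *[Y[i][0] for i in sorted(Y)], t_S)       # K = H3(RS||Y(S,i).x...||tS)
    return K, (t_S, Y, {i: H(4, A[i][0], K, IS) for i in A})           # delta_i = H4(Ai.x||K||IS)

def user_round3(state, identity, broadcast, T_now):
    """Step 3: timestamp check, recover RS = ri^-1 * YS,i, derive K, confirm delta_i."""
    (r_i, A_i), (t_S, Y, delta) = state, broadcast
    if T_now - t_S >= DELTA_T: raise ValueError("stale broadcast")
    R_S = ec_mul(pow(r_i, -1, q), Y[identity])
    K = H(3, R_S[0], R_S[1], *[Y[i][0] for i in sorted(Y)], t_S)
    if delta[identity] != H(4, A_i[0], K, IS): raise ValueError("key confirmation failed")
    return K

def run_session(ids=(b"alice", b"bob", b"carol"), now=1_700_000_000, delay=1):
    """Whole exchange; True when every user's K equals the server's K, False when rejected.
    delay = seconds between Step 1 and the server's check; delay >= DELTA_T models a replay."""
    xs = secrets.randbelow(q - 1) + 1
    users = {i: register(i, b"pw-" + i) for i in ids}                   # server's password table
    reqs, states = zip(*[user_round1(i, users[i], ec_mul(xs, G), now) for i in ids])
    try:
        K_S, bcast = server_round2(xs, users, list(reqs), now + delay, now + delay)
        return all(user_round3(s, i, bcast, now + delay + 1) == K_S for i, s in zip(ids, states))
    except ValueError:
        return False
```

run_session() returns True when all three users and the server derive the same K and every δi verifies; run_session(delay=DELTA_T) returns False because Step 2-1 rejects a request presented after ΔT, which is exactly how a replayed (Ri, Ci, ti) is caught. Note that K is bound to RS, which an observer can only obtain from ri or rS, so the private key xs alone does not yield K, matching the forward secrecy argument of Section 4.1 (6).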

4. Security Analysis and Performance Evaluation

- 4.1 Security analysis

The security of the proposed scheme is based on the elliptic curve discrete logarithm problem (ECDLP) [27-29] and the one-way hash function (OWHF) assumption [30,31].

Elliptic curve discrete logarithm problem (ECDLP):

We assume that the elliptic curve contains a large prime subgroup of order p (≥ 160 bits), which is large enough to make solving discrete logarithms in the finite field GF(p) infeasible. Suppose we have two points P, Q on an elliptic curve with Q = xP, where x is an integer. It is computationally infeasible to find the integer x from Q = xP.

One way hash function (OWHF) assumption:

If a hash function h is one-way, it must satisfy the following conditions:

It is computationally infeasible to find a message m from its hash value h(m).

For any message m1, it is computationally infeasible to find another message m2 such that h(m2) = h(m1).

It is computationally infeasible to find a pair of different messages m1 and m2 such that h(m1) = h(m2).

In the following, we present the analysis on the security of our proposed scheme. The proposed scheme can withstand possible attacks and satisfies the following security requirements:

- (1) Entity authentication

The proposed scheme provides mutual authentication between the server S and each user Ui. To authenticate the legitimacy of user Ui, the server checks that maci = H2(Ai.x║PWi,x║Ii║ti) holds.

The adversary can successfully generate a valid maci for cheating the server only if he knows the user’s password PWi. Security of PWi is based on the OWHF assumptions as analyzed above.

On the other hand, each user Ui authenticates the legitimacy of the server by checking that δi = H4(Ai.x║K║IS) holds.

The adversary can successfully masquerade as the server for cheating any user Ui if he can correctly derive Ai and PWi. Security of Ai and PWi is protected under the ECDLP and the OWHF assumption as discussed above.

- (2) Confidentiality of private key

Consider the scenario of a compromising attack in which an adversary attempts to derive the server's private key xS. With only the knowledge of the server's public key YS = xSG, the adversary faces the ECDLP to derive xS.

- (3) Confidentiality of the established session key

In the proposed scheme, the session key K is generated by K = H3(RS║Y(S,1).x║Y(S,2).x║…║Y(S,n).x║tS). Only one secret variable, RS, contributes to key generation. The adversary can successfully compromise RS for deriving K only if he knows ri or rS, since YS,i = rSRi.

Compromising ri from Ri or rS from YS,i is an ECDLP. On the other hand, if the adversary attempts to derive K from the intercepted message δi = H4(Ai.x║K║IS), he will face the intractability of reversing the one-way hash function (i.e. OWHF problem). Hence, the confidentiality of the session key is protected under the ECDLP or OWHF assumption.

- (4) Confirmation of the established session key

In addition, the proposed scheme provides explicit key authentication (also called key confirmation), so that all users can explicitly verify the authenticity of the established session key. The message δi = H4(Ai.x║K║IS) serves as the authenticator for this purpose. If the session key K is not correctly computed as K = H3(RS║Y(S,1).x║Y(S,2).x║...║Y(S,n).x║tS), the verification of δi = H4(Ai.x║K║IS) fails.

And if it holds, K is the session key shared among all participating users. All participating users can explicitly verify the authenticity of the established session key.

- (5) Session key contribution

We show that the proposed scheme is a contributory key agreement scheme, which allows every participating user to contribute a share to the session key generation. The session key is computed as K = H3(RS║Y(S,1).x║Y(S,2).x║...║Y(S,n).x║tS). The secret random number ri is determined secretly by user Ui and hence contributes to the session key generation. This means that each user contributes equally to the session key and guarantees its freshness in each session key construction; that is to say, no participant can predetermine the session key. Hence, the proposed scheme is a contributory key agreement scheme.

- (6) Forward secrecy

Forward secrecy guarantees that an adversary who compromises a private key or one session key cannot reveal previously established session keys. As mentioned, in the proposed scheme the session key K is generated by K = H3(RS║Y(S,1).x║Y(S,2).x║...║Y(S,n).x║tS). The session key is protected by the secret RS. It is easy to see that compromising rs from YS,i = rsRi is an ECDLP. Even if the server's private key xs is disclosed for some reason, the proposed scheme withstands the attack in which an adversary with knowledge of xs attempts to derive the current session key: the adversary cannot compute K without knowing RS. Hence, the adversary cannot derive any session key from the compromised private key xs.

Consider the scenario in which an adversary who has compromised one session key attempts to derive a previously established session key. Since the proposed scheme is contributory, as mentioned above, the session key of each session is refreshed by the random secret values. The session keys can be regarded as random numbers generated by all participating users. Hence, an adversary knowing one session key cannot derive a previously established one, which implies that forward secrecy is achieved.

- (7) User anonymity

The user sends the request (Ri, Ci, ti) to the server in each login. The adversary may analyze the login message, but it is infeasible to derive the identity of the user from it, where maci = H2(Ai.x║PWi,x║Ii║ti): the timestamp ti differs between sessions and the identity Ii is protected by the one-way hash function. Therefore, the adversary cannot identify the person who wants to log in.

The identity information Ii of the user Ui is encrypted in Ci. In the encrypted message Ci of the proposed scheme, the identity Ii is encrypted so that no identity-related information is leaked. The server decrypts Ci on receipt and thereby recognizes the identity of the participating user Ui. Any adversary who eavesdrops on the communication channel and wants to recover the identity of the user Ui faces the intractability of the OWHF assumption. Therefore, user anonymity is achieved by using the encrypted message Ci.

- (8) Replay attack and impersonation attack

In this kind of replay attack, the attacker listens to the communication between the sender and the receiver and then replays the same message of the user or the server. Our proposed scheme uses timestamps to withstand replay attacks. Since the timestamp ti or tS is included in maci or K, the adversary cannot replay the intercepted messages to masquerade as a valid user or server. The attack cannot work because the replayed message fails the time-interval check, (Ti - ti) ≥ ΔT or (T'i - tS) ≥ ΔT. This also implies that the proposed scheme can withstand impersonation attacks.

On the other hand, suppose the adversary impersonates a legitimate user and forges the message using the information obtained from the scheme. The adversary needs to guess (Ai, maci, mi) to masquerade as a legitimate user and forge a valid login. The adversary cannot obtain (Ai, maci, mi) from the intercepted communication information Ri, Ci and ti. Therefore, our proposed scheme is secure against impersonation attacks.

- (9) Off-line dictionary attack

It is hard for any adversary to derive the user password pwi or server private key xs from recorded messages, because the adversary will face the OWHF assumption and the ECDLP.

- 4.2 Performance Evaluation

In this subsection, we will evaluate the performance of the proposed scheme and make comparison with related researches in Table 2. The computational complexities represent how many (or how heavy) cryptographic operations such as symmetric encryption or one-way hash function are adopted in the communication protocol. For simplicity, we denote the following notation to evaluate the performance of our proposed scheme and related researches:

n: the number of participating users that want to agree on a secret session key shared among them;

|a|: the bit-length of a variable a.

Table 2 compares the total computation costs required by the users and the server in the proposed protocol and in related schemes. Note that the time for computing a modular addition and that for the XOR function are ignored here because they are negligible compared to the other complexity measures. From [32-35], the time complexities can be respectively regarded as TEM ≈ 29TMUL, TEA ≈ 0.12TMUL, TEXP ≈ 240TMUL, TINV ≈ 10TMUL, and TH ≈ 4TMUL. To facilitate the comparisons in Fig. 3, we converted the costs of all operations into multiples of TMUL. The results of the comparisons indicate that the proposed scheme imposes significantly lower computational costs than previously proposed schemes.

For the communication overhead, we let the adopted one-way hash function be SHA-1 [36] (160-bit output), |p'| = 1024 bits, |q'| = 160 bits, and |p| = |q| = 163 bits. The timestamp t, the identity, and the MAC value are all assumed to be 160 bits. On this basis we compared the size of the messages transmitted by the proposed scheme and by related schemes; Fig. 4 presents the results. The communication overhead of user i in the proposed scheme is 2*163 + 2*160 + 160 bits, whereas that of the server S is 4*163 + 2*160 + 160 bits. The results indicate that the proposed scheme imposes significantly lower communication costs than previously proposed schemes.

Table 2, Fig. 3 and Fig. 4 clearly show that our proposed scheme is more efficient than previously proposed schemes in terms of computational complexity and communication overhead.

We also summarize the functionalities of the proposed scheme and compare them with related schemes in Table 3, which demonstrates that our scheme achieves key authentication, key confirmation and user anonymity. A transmission round comprises all independent messages that can be sent and received in parallel; our proposed scheme arranges all independent messages into one round. Our proposed scheme requires only two round-messages, fewer than previously proposed schemes require.

Recently, several researchers have proposed many 3-PAKE protocols. However, we have carefully scrutinized the recently published protocol of Kwon et al. and observed that it suffers from several security weaknesses, namely the lack of key authentication, key confirmation and anonymity. To improve the efficiency and solve the security problems of that 3-PAKE scheme, we proposed a multi-party PAKE scheme with privacy preservation based on ECC.

ECC is of greater commercial importance and has attracted attention because of its smaller key size, reduced storage, lower CPU consumption, and lower transmission requirements. The proposed scheme uses ECC, which provides the striking advantage of a shorter key size compared to conventional algorithms (e.g., RSA) while preserving an equivalent security level. Additionally, the proposed scheme requires only two round-messages and achieves better performance efficiency. Accordingly, the proposed scheme is suitable for application in the mobile environment.

The proposed scheme assumes that the server is honest and follows the required security service agreement. However, malicious servers are still possible, and we therefore plan to develop a M-PAKE scheme for multi-server mobile networks capable of withstanding malicious attacks even from the servers themselves.

BIO

Chung-Fu Lu received the B.S. and M.S. degree in Electrical Engineering from National Taiwan University of Science and Technology in 1991 and 1993 respectively. He received the Ph.D degree in information management from the National Taiwan University of Science and Technology, Taiwan in 2011. Since August 2011, he has been the Associate Professor in the Department of Information Management, Chihlee University of Technology, Taiwan. His current research includes cryptography, information security, network security, and mobile commerce.